Some of the cyber attacks that shut down thousands of computers at banks and broadcasters in South Korea used stolen user IDs and passwords, say researchers.
Analysis of the attacks by researchers at security firm AhnLab found stolen credentials were used to gain access to patch management systems on the affected networks.
The patch management systems were then used to distribute malware in the same way as they distribute software updates.
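The control that breaks the technique described above is to make a valid console login insufficient on its own: every package must carry a vendor signature, made with a key that never lives on the patch management server, before the server will distribute it. The following Go program is an added illustration of that admission check; it is not code from AhnLab, from the affected organisations or from any real patch management product. The Ed25519 signing scheme, the `Package` and `Gate` types, the package names and the sample payloads are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Package is what a console operator submits to the distribution queue.
// The signature is produced offline by the software vendor (assumed here:
// Ed25519 over a digest of name, version and payload), never by the console.
type Package struct {
	Name      string
	Version   string
	Payload   []byte
	Signature []byte
}

// ErrUnsigned is returned for any package not signed by a trusted vendor key.
var ErrUnsigned = errors.New("package rejected: no valid vendor signature")

// manifestDigest binds name, version and payload so a genuine signature
// cannot be transplanted onto a different version or a swapped payload.
func manifestDigest(name, version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separators stop "ab"+"c" colliding with "a"+"bc"
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// SignPackage is the vendor-side step, run with the offline private key.
func SignPackage(priv ed25519.PrivateKey, name, version string, payload []byte) Package {
	return Package{
		Name:      name,
		Version:   version,
		Payload:   payload,
		Signature: ed25519.Sign(priv, manifestDigest(name, version, payload)),
	}
}

// Gate is the admission check the distribution server runs on every package,
// regardless of which operator account submitted it.
type Gate struct {
	Trusted []ed25519.PublicKey
}

// Admit returns nil only if the package verifies against a trusted vendor key.
func (g Gate) Admit(p Package) error {
	digest := manifestDigest(p.Name, p.Version, p.Payload)
	for _, pub := range g.Trusted {
		if ed25519.Verify(pub, digest, p.Signature) {
			return nil
		}
	}
	return ErrUnsigned
}

func main() {
	// Constructed scenario: one vendor key enrolled in the gate.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	gate := Gate{Trusted: []ed25519.PublicKey{vendorPub}}

	// Legitimate update, signed by the vendor.
	good := SignPackage(vendorPriv, "endpoint-agent", "2.0.1", []byte("constructed legitimate update body"))
	fmt.Println("vendor-signed update:", gate.Admit(good))

	// Attacker holding stolen console credentials but no signing key.
	unsigned := Package{Name: "endpoint-agent", Version: "2.0.2", Payload: []byte("constructed malicious body")}
	fmt.Println("unsigned submission:", gate.Admit(unsigned))

	// Same attacker re-using the vendor's signature on a swapped payload.
	tampered := good
	tampered.Payload = []byte("constructed malicious body")
	fmt.Println("tampered payload:", gate.Admit(tampered))
}
```

The point of the design is separation of authority: console credentials authorise an operator to schedule a package, while only the offline vendor key authorises its contents. A stolen account can still submit, so rejected submissions should also be logged and alerted on, since they are a direct signal that someone is trying to use the distribution channel for something other than a vendor update.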
The security company denied that any AhnLab server or product had been used by the attackers to deliver the malicious code, as some initial reports of the attacks had suggested.
The company said analysis revealed that any organisation using AhnLab’s Malware Detection System would be protected from the malware used in the attacks.
The malware code targeted organisations’ servers and destroyed the systems’ ability to boot.
However, the company said the attacks highlighted how rapidly the threat landscape is changing: attacks are becoming more targeted, more sophisticated and better at evading traditional security systems, AhnLab said.
More than 32,000 servers managed by broadcasters and banks in South Korea were hit in what some experts are calling one of the largest multi-target cyber attacks in South Korea's history.
The shutdowns affected Shinhan Bank, Nonghyup Bank, Munhwa Broadcasting, YTN and Korea Broadcasting System.
Investigators initially linked the attacks to an IP address in China, but later admitted they had made a mistake: the address in question actually belonged to one of the companies that was hit.
Officials said the address was used only on the company's internal network and happened to be identical to a publicly allocated Chinese address.
Investigators added that analysis of the malware indicated the attack was likely to have come from outside South Korea, but stopped short of naming a country.
Initially suspicion fell on neighbouring North Korea as tensions remain high between the two countries after North Korea’s recent nuclear test and subsequent UN sanctions.
Cyber security experts have said the investigation will take weeks, and that the source of the attack may never be identified with confidence, as attribution on the internet is extremely difficult.
The attack on South Korea came just over a week after North Korea accused South Korea and its US ally of "intensive and persistent" hacking attacks on its internet servers.
Security experts have said the choice of targets reflects a trend in which global financial markets and critical infrastructure systems are increasingly the preferred targets for attack.
Cyber attacks on critical national infrastructure are a top concern in the US, where president Barack Obama has signed a cyber security executive order requiring federal agencies to share cyber threat information with private companies.